Cisco 2600 VPN with RADIUS (AD) authentication?

I'm currently trying to configure a 2611XM as a VPDN endpoint, preferably using L2TP, and using RADIUS to authenticate with a Server 2008 R2 Active Directory.

Now, I can get the router to authenticate logon (con/vty) requests with AD, which proves that I have the NPS role configured correctly on the 2008 R2 box, however the VPN connection always errors with Error 629 (The connection was closed by the remote computer).

If I set up a basic PPTP or L2TP VPDN using local authentication (user testvpn password 0 testvpn) then I can connect fine, but obviously it isn't what I'm trying to achieve.

Anyone got any ideas?
 
How are you telling the router to use RADIUS to authenticate the PPP connections?

I'd expect something like;


aaa group server radius radiusadsl
 server 1.1.1.1 auth-port 1812 acct-port 1813
 server 1.1.1.2 auth-port 1812 acct-port 1813
!
aaa authentication ppp default local group radiusadsl

so that it knows the incoming PPP session should use your radius. If you already have this are you able to post the config (knock out any passwords or IP's you don't want visible)?
 
It's configured like this:

aaa authentication login default group radius local enable
aaa authentication ppp default group radius

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key longwindedhexadecimalbasedkey

It appears that it's when I add the line

aaa authorization network default group radius if-authenticated

it all falls down and refuses to work.
 
My authorisation line is similar, though I've not used 'if-authenticated', just

aaa authorization network default group radiusadsl


My complete config for a vpdn termination is;

!
aaa group server radius radiusadsl
 server 1.1.1.1 auth-port 1812 acct-port 1813
 server 1.1.1.2 auth-port 1812 acct-port 1813
!
aaa authentication ppp default local group radiusadsl
aaa accounting delay-start
aaa accounting update newinfo periodic 30
aaa accounting network default start-stop group radiusadsl
aaa session-id common
!
vpdn-group brandtest
 accept-dialin
  protocol l2tp
  virtual-template 101
 terminate-from hostname testvpdngroup
 source-ip 3.3.3.3
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 <password>
!
interface Virtual-Template101
 description *** Internet shared - single user - ADSL ***
 ip unnumbered Loopback13
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1408
 no logging event link-status
 no snmp trap link-status
 no ppp lcp fast-start
 ppp mru match
 ppp authentication chap pap callin
!
interface Loopback13
 ip address 3.3.3.3 255.255.255.255


Are RADIUS debugs giving you any indication of why the authentication is failing?
 
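The posts above trade fragments of AAA config. The following is a complete, added example of a 2600-class IOS router terminating L2TP dial-in and authenticating PPP against Windows NPS; it is not the thread's own config and is not Cisco's documentation. Every address, interface name, pool range, group name and secret in it is an assumption. It puts the RADIUS group first and a local account last, applies the attributes NPS returns with `aaa authorization network`, and uses MS-CHAPv2 rather than PAP so that NPS can validate against AD without reversibly stored passwords. Note that plain L2TP (no IPsec) encrypts nothing: PPP authentication and user traffic cross the Internet in the clear, and a Windows client will only build an L2TP tunnel without IPsec if it has been explicitly configured to.

```cisco
! Added example (not from the thread): L2TP VPDN termination with PPP
! authentication against Windows NPS. All names/addresses are assumed.
aaa new-model
!
aaa group server radius NPS
 server 10.6.1.20 auth-port 1812 acct-port 1813
!
! RADIUS first; 'local' is consulted only if no RADIUS server answers
! (a timeout, not an Access-Reject). Keep one local emergency account.
aaa authentication ppp default group NPS local
! Apply Framed-* attributes (address, filters) from the Access-Accept
! to the PPP session.
aaa authorization network default group NPS
aaa accounting network default start-stop group NPS
aaa session-id common
!
radius-server host 10.6.1.20 auth-port 1812 acct-port 1813 key 0 ChangeMe-LongRandomSecret
! The address the router sources RADIUS from must match the RADIUS
! client entry (and its shared secret) configured in NPS.
ip radius source-interface FastEthernet0/0.1
!
username emergency secret 0 ChangeMe-Local-Only
!
vpdn enable
vpdn-group L2TP-IN
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Windows clients do not do L2TP tunnel authentication; PPP does the
 ! user authentication.
 no l2tp tunnel authentication
!
! Client address pool. Keep it on its own subnet and make sure the core
! switch has a route for it back to this router.
ip local pool VPNPOOL 10.7.1.10 10.7.1.100
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0.1
 peer default ip address pool VPNPOOL
 no ip redirects
 no ip proxy-arp
 ! MS-CHAPv2 only: PAP would carry the AD password in clear text, and
 ! CHAP needs reversibly encrypted passwords in AD.
 ppp authentication ms-chap-v2 callin
!
interface FastEthernet0/0.1
 description inside LAN towards the core switch
 encapsulation dot1Q 10
 ip address 10.6.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.6.1.1
```

In NPS the matching network policy needs MS-CHAPv2 enabled as an EAP-less authentication method and the router added as a RADIUS client with the same shared secret; with `debug radius authentication` and `debug ppp authentication` running on the router you can see whether the router is getting an Access-Reject (policy problem), no reply at all (secret or client-address mismatch, NPS discards silently), or an Accept followed by a PPP failure (attribute or authorization problem).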
Ok, finally got the AD authentication working, but now have a new problem.

Traffic that comes in through the VPN doesn't appear to route back out through our proxy (Microsoft Forefront TMG) to the internet. Internal web traffic (such as http://intranet) works fine, but try and get beyond the perimeter and you get nothing.

I do have ip route 0.0.0.0 0.0.0.0 10.6.1.1 (10.6.1.1 being our core switch) set in the 2600's config, but I get nothing.

Ideas?
 
Here you go:

EF-VPDN#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.6.1.1 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
C 10.6.1.0 is directly connected, FastEthernet0/0.1
C 10.5.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.6.1.1
EF-VPDN#
 
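The routing table above shows only the 2600's outbound default route; it says nothing about how replies get back to the VPN clients. Added example, not from the thread: the return path and the checks a practitioner would run, assuming the 2600's inside address is 10.6.1.2, clients are addressed from 10.7.1.0/24 and the core switch (10.6.1.1) fronts TMG. All addresses and names are invented.

```cisco
! --- core switch (10.6.1.1): route the client pool back to the 2600 ---
! Without this the core (and TMG behind it) sends replies for 10.7.1.x to
! its own default gateway, and the VPN user sees internal hosts but no
! Internet. TMG additionally needs 10.7.1.0/24 inside the address ranges
! of the network it proxies for, or it treats the packets as spoofed.
ip route 10.7.1.0 255.255.255.0 10.6.1.2
!
! --- 2600: what to look at while a client is connected ---
! A connected client shows up as a host route on its Virtual-Access:
Router# show ip route | include Virtual-Access
!   C   10.7.1.10/32 is directly connected, Virtual-Access1
Router# show users
! Prove the forward and return paths separately, sourcing from the inside
! address and from the pool address handed to the client:
Router# ping 10.6.1.1 source 10.6.1.2
Router# ping 8.8.8.8 source 10.7.1.10
!
! --- 2600: debugs for the original Error 629 (PPP/RADIUS) problem ---
Router# debug radius authentication
Router# debug aaa authentication
Router# debug aaa authorization
Router# debug ppp authentication
Router# debug vpdn l2x-events
Router# undebug all
```

`ping ... source 10.7.1.10` only works while that pool address is actually assigned to a live session; if the ping sourced from 10.6.1.2 succeeds and the one sourced from the pool address fails, the problem is the missing return route rather than the 2600's own default route.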